The cybersecurity landscape in 2016 continued to evolve in both predictable and unpredictable ways. The data breaches continued unabated, cybersecurity took a greater profile both in the corporate boardrooms and in the public sphere.
We witnessed the power of hackers to wage an information war and influence public opinion, none more high profile than the American Presidential election and the individuals allegedly associated with the Russian government penetrated the servers of the Democratic National Committee and in turn, changing the course of the election.
We also witnessed the perils of unsecured IoT devices being used to launch major DDoS attacks, bringing down websites including Netflix, Spotify, Reddit and Amazon to name a few.
The threat of malicious and careless insiders continues to rear its ugly head and remains a cybersecurity challenge.
Stroz Friedberg have released their annual cybersecurity predictions, in it they predict 2017 will see an intensification of cybersecurity issues in the areas of nation state cyber espionage, increased data integrity attacks as well as an increase in sophistication of spear-phishing and ransomware techniques. Beyond the obvious cost in the corporate boardrooms of the world’s largest organisations, there are implications for international security, politics and economic stability.
Criminals harness IoT devices as botnets to attack infrastructure
Given the explosion of IoT devices exceeding 28 billion, expect to see an increase in compromised devices. They will increasingly be used as Botnets and used to propagate malware, SPAM, DDoS attacks and generally amplifying malicious activities. Despite the repeated request of the security community to for government regulation and set security standards to address the unprecedented risks posed by IoT devices, nothing significant has been issued. As a result, until the true effect of these unsecure devices is seen firsthand by businesses and consumers, there continues to be little financial incentive to proactively drive improvements to security standards, or take the lead in integrating security into design.
Nation state cyber espionage and information war will continue to influence global politics and policy
The 2016 American election demonstrated that democratic campaigns can be derailed or strengthened by changing the public conversations through information wars played out internationally. Public sentiment can be turned for or against candidates with information being released at the right point in the political cycle to create suspicion and uncertainty. Needless to say, this information can be extracted by anyone with interest in the political outcome with no respect to international borders.
Expect to see these information wars to play out in democracies internationally.
Data integrity attacks will continue to rise
Data loss will always be of concern to organisations but a new trend expected to impact the security landscape in 2017 is ensuring data integrity and preventing data sabotage. We have already seen the confusion and doubt created over the accuracy and reliability of information with high profile attacks which involve deleting data, editing news headlines and disrupting access to information. The U.S election season was a high profile example of what occurs when doubt is created over data integrity and what that looks like played out in the media arena.
Data at risk of manipulation at an organisational level could include tampering with financial account databases, HR payroll applications, news announcements, voter information or even company earnings. The outcomes include creating chaos, mistrust and significant damage to reputations. Ultimately this can lead to manipulation of stock prices or even ripple effects to mergers and acquisitions or even impact the closing of any significant deal or contract.
Increased sophistication of spear-phishing and social engineering campaigns
The advances we expect to see in 2017 in spear-phishing and social engineering tactics will be that they become much more targeted, sneaky and efficient in exploiting employees which traditionally have been the softest target and most difficult to secure.
With the rate of critical data moving into the cloud, we are seeing cloud service providers double down on their efforts in protecting this infrastructure. As a result, attackers will look to target their efforts on employees as a means to access data. We expect to see more spear-phishing and social engineering focusing on insiders, third-party providers and business partners to provide criminals with the necessary credentials to access the target data.
The days of being able to pick phishing attempts quickly due to crude and clunky appearance is fast disappearing, being replaced by professional and sophisticated pieces which are embedded with malware that once clicked will spread throughout the organisations systems.
Social media profiles of target employees will be studied and used to extort or exploit their vulnerabilities to provide sensitive data before embarking on a major attack to obtain credentials. The choice of targets are no longer high net worth individuals in the old sense, rather targets who can provide entry points to target networks. This can encompass business unit heads, HR, operations and finance employees.
The use of automation tools will continue unabated as they look for efficiencies just as we look for in the business world to allow for efficient exploitation particularly once they have credentials. Time is of the essence – they need to use the exploit for gain before detection and remediation takes place.
Expect to hear more about red teaming and the move to making it industry gold standard along with talent shortages in cybersecurity
As we continue to see a rise in the activity of regulators, there will be an increase in demand for in-house red teaming capabilities. Organisations whose business is not cyber centric will struggle to find, recruit and keep cyber talent to ensure they remain ahead of the threats. As expected, we will see this playing out in international financial hubs across the world.
On the point of increased regulation, we expect that the conversations around cybersecurity will continue at boardroom level with organisations increasing their in-house security capabilities in all sectors, not just finance. Sectors which will be expected to bolster their security in-house talent include critical infrastructure, healthcare and first movers in sectors such as retail.
With the uptick of cybersecurity demand, expect to see a shortage of talent to the tune of two million jobs just this year alone. Universities are frantically trying to fill the gap but this will not ease the shortage of talent who possess deep practical and technical experience.
Pre – M&A cybersecurity due diligence will become critical
Expect financial sector to be the first to herald the introduction of cybersecurity due diligence as part of any M&A activity. The idea comes out of instances where M&A activity was clouded by the realisation of the presence of security vulnerabilities as seen with the Abbott deal to purchase St Jude Medical. Once the agreement was announced, the St Jude stock was short sold on the accusation that their cardiac devices were open to cyberattacks. These revelations ultimately affected the success of the final acquisition.
Companies on the look out for acquisition targets will use cybersecurity health as one of the factors in assessing ultimate purchase price and terms.
Whilst it is no surprise that cybersecurity continues to evolve and threats remain ever present, what is new is the fact that we expect there to be an increase in mandated regulations and as a result, an impetus to act to secure your organisation.
This does not, however, mean that organisations should remain passive in their activities to secure their assets. Use these points to create a checklist to work through, think about your organisations initiatives for their threats, create awareness within your organisation and if you are unaware of your gaps, get a risk assessment done.
Improved security can never be a destination, rather a journey towards improved security posture. Invite us on your journey today.